RE: AAA

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Sun, 23 May 2010 19:07:07 -0400

If you have no AAA server and you want to control the commands users gain access
to without changing privilege levels, then parser views or role-based
authentication are the way to go.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
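
Tyson's suggestion worked into a configuration, as an added example that is not part of the original thread. It assumes a router running IOS with the Role-Based CLI Access feature; the view name NOC, the user name noc and every secret are placeholders chosen for the example. The view whitelists a few show commands and ping, and the local username is bound to the view so the user lands in it at login without any privilege-level change.

```cisco
! Added example (not from the original thread): role-based CLI access with a
! parser view. Assumed names: view NOC, user noc; secrets are placeholders.
aaa new-model
!
! Views are created from the root view, which is unlocked at the exec prompt
! with the enable secret:
!   Router# enable view
!   Password: <enable secret>
enable secret EnableSecretPlaceholder
!
! Local AAA: authenticate against the local user database and let exec
! authorization hand each user their configured view at login.
aaa authentication login default local
aaa authorization exec default local
!
! The view itself is a whitelist of exec commands. Anything not included is
! neither visible nor executable, whatever the user's privilege level.
parser view NOC
 secret ViewSecretPlaceholder
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include all show ip route
 commands exec include ping
!
! Bind the view to a local user; no "privilege N" is involved.
username noc view NOC secret UserSecretPlaceholder
!
line vty 0 4
 transport input ssh
!
! Verification (exec prompt, not configuration mode):
!   Router# show parser view        ! view of the current session
!   Router# show parser view all    ! from the root view only: lists every view
!   Router# enable view NOC         ! switch into the view by hand to test it
! Inside the NOC view, "configure terminal" or "show running-config" are
! rejected with "% Invalid input detected", as if the commands did not exist.
```

The check a practitioner should run is the last one: log in as the restricted user and confirm that commands outside the whitelist are not merely denied but absent from the parser, then confirm from the root view with show parser view all that no other view accidentally includes them.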

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
estela Mathew
Sent: Sunday, May 23, 2010 3:32 PM
To: Paul Stewart
Cc: Cisco certification; GS
Subject: Re: AAA

Hello Friends,

What I understand from your above mail is:

That means the below commands:

aaa authorization exec 123 local
aaa authorization commands 6 123 local
aaa authorization config-commands

will only authorize when I set a particular user to a particular privilege
level; when I apply authorization on a line vty, the users who are telnetting
and using an enable secret password of their privilege level, and only those
commands, will be authorized.

To verify the authorization commands, I have to log in at their privilege
level and check for those commands which they are not permitted. Am I correct?

*Please correct me if I'm wrong.*

Suppose a user is violating his privilege level by typing unnecessary commands
for which he is not permitted; how can I trace that? I suppose I have to do
accounting for them. What are the show commands by which I can see that the
user has tried certain commands for which he doesn't have permission?

Thanks

On Sun, May 23, 2010 at 9:09 PM, Paul Stewart <pestewart_at_gmail.com> wrote:

> You CANNOT do local command authorization. You CAN do local exec
> authorization. The difference is that with command authorization, the user
> enters a command that their priv-lvl allows them access to. The command is
> sent to the TACACS+ server as an authorization request. If the associated
> user is granted access, author is permitted. If not, author fails.
>
> With exec authorization, we are assigning a priv-lvl to a user's session.
> Commands can be moved between privilege levels in order to meet
> requirements. Exec authorization can still be combined with command
> authorization to add granularity. In that case, only commands that are
> permitted by the priv-lvl will be sent to TACACS+ for command authorization.
>
>
>
>
> On May 23, 2010, at 10:02 AM, estela Mathew <estelamathew_at_gmail.com>
> wrote:
>
>> Hello friends,
>>
>> I want to do authorization for a user locally on the router. I don't have a
>> TACACS or RADIUS server; how can I achieve that?
>>
>> Suppose I enable
>>
>> aaa authorization exec 123 local,
>>
>> line vty 0 4
>> authorization exec 123
>>
>> Which user will be authorized, and what commands fall in *exec* which will
>> be authorized?
>>
>> The same if I do with
>>
>> aaa authorization commands 6 123 local
>>
>> aaa authorization config-commands
>>
>> What will I achieve by the above commands?
>>
>> I have read the AAA user guide, but there is no proper example for
>> verification.
>>
>> Can anybody help me with a good book to clear the concepts of AAA?
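
The privilege-level approach Paul describes (local exec authorization plus commands moved between levels), together with the logging a practitioner would add to see what a restricted user did, as an added example that is not part of the thread. The user name estela, the method-list name 123, level 6, the syslog host 192.0.2.10 and all secrets are assumptions. As Paul says, the local method cannot do per-command authorization: IOS accepts the aaa authorization commands 6 123 local line, but only the privilege-level check actually limits the user, so the privilege exec level lines are the part doing the work.

```cisco
! Added example (not from the original thread): local exec authorization with a
! custom privilege level, and logging to trace what a restricted user did.
! Assumed: user estela, method list 123, level 6, syslog host 192.0.2.10,
! placeholder secrets.
aaa new-model
enable secret EnableSecretPlaceholder
!
aaa authentication login default local
! Exec authorization from the local database: at login the session gets the
! privilege level configured on the username, with no separate "enable".
aaa authorization exec 123 local
! Accepted by the parser, but IOS has no local method for per-command
! authorization; the privilege-level check is what actually limits the user.
aaa authorization commands 6 123 local
! On by default; keeps configuration-mode commands subject to command
! authorization when a server does it.
aaa authorization config-commands
!
! Level 6 is empty by default; move the commands this role needs down to it.
! "all" pulls in every sub-form of the command.
privilege exec level 6 show running-config
privilege exec all level 6 show ip
privilege exec level 6 ping
privilege exec level 6 configure terminal
privilege configure level 6 interface
privilege interface level 6 description
privilege interface level 6 shutdown
!
username estela privilege 6 secret UserSecretPlaceholder
! Optional: an enable password for level 6, for users who log in lower and
! type "enable 6" by hand.
enable secret level 6 Level6SecretPlaceholder
!
line vty 0 4
 authorization exec 123
 authorization commands 6 123
 transport input ssh
!
! Tracing without a TACACS+/RADIUS accounting server: configuration changes
! go to the archive log and syslog; privilege changes and login results go to
! syslog.
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
logging userinfo
login on-failure log
login on-success log
logging host 192.0.2.10
!
! Verification (exec prompt):
!   Router# show privilege                 ! level of the current session
!   Router# show archive log config all    ! who ran which config command, when
!   Router# show logging                   ! login and config-log messages
! A level-6 user typing a level-15 command such as "reload" gets
! "% Invalid input detected": the command is hidden from the parser rather
! than denied, so there is no per-command "denied" record to look for locally.
```

The caveat in the last comment matters for the verification question in the thread: with local authorization a command above the user's level never reaches an authorization step, so what can be traced locally is the configuration commands the user did run (archive log) and the login and privilege-change events (syslog), not attempts at commands the parser never showed them.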

Blogs and organic groups at http://www.ccie.net
Received on Sun May 23 2010 - 19:07:07 ART

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:53 ART